Cisco 877 Zone Based Firewall

Introduction

Full configuration overview of a Cisco 877 running IOS version 12.4(15)T17.

Enable SSH
hostname ROUTER
ip domain-name EXAMPLE.LOCAL
crypto key generate rsa general-keys modulus 1024

Set DNS
ip name-server 192.231.203.132
ip name-server 192.231.203.3

Configure Router Access
aaa new-model
aaa session-id common
aaa authentication login local_auth local
enable secret PASSWORD
no enable password
username admin privilege 15 secret PASSWORD

security passwords min-length 6
security authentication failure rate 10 log
login block-for 30 attempts 3 within 30
ip ssh time-out 60
ip ssh authentication-retries 3

line con 0
 login authentication local_auth
 privilege level 15
 exec-timeout 20 0
 transport output all
line aux 0
 login authentication local_auth
 privilege level 15
 exec-timeout 10 0
 transport output all
line vty 0 4
 login authentication local_auth
 transport input ssh
 transport output all
 privilege level 15
 exec-timeout 10 0

Securing access to the router
Optional, as the same restriction can be applied with the zone-based firewall's self-zone policy; make a note of this here.

ip access-list standard MGMT_V4
 permit 202.129.80.80
 permit 103.20.49.138
 permit 10.39.41.0 0.0.0.255
 deny any log

line vty 0 4
 access-class MGMT_V4 in
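The MGMT_V4 list is the only filter in front of the VTY lines, so it is worth checking offline which sources it admits before applying it. The following is an added example, not code from the page or from Cisco IOS: a Python evaluator for IOS standard access lists that implements first-match semantics, wildcard (inverse) masks, the host and any keywords, and the implicit, unlogged deny at the end of every list. The MGMT_V4 text is copied from the page; the candidate addresses other than the page's own are documentation ranges chosen here.

```python
# Added example (not from the page or from Cisco IOS): evaluate an IOS standard ACL offline.
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Tuple

# The MGMT_V4 access list exactly as the page configures it.
MGMT_V4 = """\
ip access-list standard MGMT_V4
 permit 202.129.80.80
 permit 103.20.49.138
 permit 10.39.41.0 0.0.0.255
 deny any log
"""


@dataclass
class StdAce:
    """One access control entry of a standard (source-only) IOS ACL."""
    action: str    # "permit" or "deny"
    network: int   # address field as a 32-bit integer
    wildcard: int  # inverse mask: 0 bits must match, 1 bits are don't-care
    log: bool      # whether the entry carried the "log" keyword


def parse_standard_acl(text: str) -> List[StdAce]:
    """Parse permit/deny lines; the header, remarks and comments are skipped."""
    aces: List[StdAce] = []
    for raw in text.splitlines():
        tokens = raw.split()
        if not tokens or tokens[0] in ("ip", "remark", "!"):
            continue
        action, *rest = tokens
        if action not in ("permit", "deny"):
            raise ValueError(f"not a standard ACE: {raw!r}")
        log = rest[-1] == "log"
        if log:
            rest = rest[:-1]
        if rest[0] == "any":
            network, wildcard = 0, 0xFFFFFFFF
        elif rest[0] == "host":
            network, wildcard = int(ipaddress.IPv4Address(rest[1])), 0
        else:
            network = int(ipaddress.IPv4Address(rest[0]))
            # A bare address with no wildcard means a single host (0.0.0.0 wildcard).
            wildcard = int(ipaddress.IPv4Address(rest[1])) if len(rest) > 1 else 0
        aces.append(StdAce(action, network, wildcard, log))
    return aces


def ace_matches(ace: StdAce, source: str) -> bool:
    """A source matches when every bit the wildcard marks as significant (0) agrees."""
    care = ~ace.wildcard & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(source)) & care) == (ace.network & care)


def evaluate(aces: List[StdAce], source: str) -> Tuple[str, bool]:
    """First-match semantics; the implicit deny at the end of the list is never logged."""
    for ace in aces:
        if ace_matches(ace, source):
            return ace.action, ace.log
    return "deny", False


def check_sources(text: str, sources: List[str]) -> Dict[str, Tuple[str, bool]]:
    """Map each candidate management source to its (action, logged) verdict."""
    aces = parse_standard_acl(text)
    return {src: evaluate(aces, src) for src in sources}


if __name__ == "__main__":
    # 203.0.113.5 is a documentation address constructed for this example.
    verdicts = check_sources(MGMT_V4, ["202.129.80.80", "10.39.41.77", "203.0.113.5"])
    for src, (action, logged) in verdicts.items():
        print(f"{src:>16}  {action:6} {'(logged)' if logged else ''}")
```

Running the evaluator against the list above shows that only the two management hosts and the LAN prefix are permitted, and that every other source hits the explicit deny, which is what produces the log entries; a list that ends without deny any log still denies, but silently.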

Add a note about the self zone and that by default it is a permissive zone

Set Time Zone and NTP
clock timezone AEDT 10
clock summer-time AEDT recurring 1 Sun Oct 2:00 1 Sun Apr 3:00
clock set 19:59:00 Aug 19 2013
sntp server 192.168.1.10
sntp server 203.0.178.191
sntp source-interface Vlan1

Configure/Secure Services
no service finger
no service pad
no service tcp-small-servers
no service udp-small-servers
service password-encryption
service sequence-numbers
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone

no cdp run
no ip bootp server
no ip http server
no ip http secure-server
no ip finger
no ip source-route
no ip gratuitous-arps

Create Login Banner
banner login "
*****************************************************
* UNAUTHORISED ACCESS TO THIS DEVICE IS PROHIBITED! *
*****************************************************
* Unauthorised access may be subject to prosecution *
*   under the Crimes Act or State legislation.      *
*****************************************************
"

Configure Logging
logging facility local2
logging trap debugging
logging console critical
logging buffered

Secure Interfaces
interface dialer0
 no ip redirects
 no ip proxy-arp
 no ip unreachables
 no ip directed-broadcast
 no ip mask-reply
 no cdp enable
interface Vlan1
 no ip redirects
 no ip proxy-arp
 no ip unreachables
 no ip directed-broadcast
 no ip mask-reply

access-list 199 remark UNICAST RPF
access-list 199 permit udp any any eq bootpc
interface dialer0
 ip verify unicast source reachable-via rx allow-default 199

Configure DSL Interface
interface ATM0
 no shutdown

interface ATM0.1 point-to-point
 pvc 8/35
  dialer pool-member 1
  protocol ppp dialer

interface dialer0
 ip address negotiated
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication chap callin
 ppp chap hostname USERNAME
 ppp chap password PASSWORD
 ! OR USE PAP COMMANDS

Set Default Route
ip route 0.0.0.0 0.0.0.0 Dialer0

Configure VLAN1
interface Vlan1
 ip address 10.39.41.254 255.255.255.0
 ip route-cache cef

Adjust MSS
Clamp the TCP Maximum Segment Size (MSS) so that TCP sessions crossing the PPP link are not fragmented.

Add a link to the MSS notes for VPNs.

! ip tcp adjust-mss is an interface-level command; apply it on the LAN interface
interface Vlan1
 ip tcp adjust-mss 1412

Enable Cisco Express Forwarding
ip cef

Configure NAT
interface Vlan1
 ip nat inside

interface Dialer0
 ip nat outside

ip access-list extended NAT_CONTROL
 ! remark DONT TRANSLATE VPN TRAFFIC
 ! deny ip 192.168.1.0 0.0.0.255
 remark TRANSLATE LAN TRAFFIC TO DIALER0
 permit ip 10.39.41.0 0.0.0.255 any

route-map INTERNET_NAT permit 1
 match ip address NAT_CONTROL

ip nat inside source route-map INTERNET_NAT interface Dialer0 overload

Local DHCP Server for LAN
ip dhcp excluded-address 10.39.41.1 10.39.41.99
ip dhcp excluded-address 10.39.41.151 10.39.41.254

ip dhcp pool ht
 import all
 network 10.39.41.0 255.255.255.0
 domain-name ht.local
 default-router 10.39.41.254
 dns-server 192.231.203.132
 dns-server 192.231.203.3
 lease infinite

Authoritative DNS Server for LAN
ip dns server

Refer to ===Set DNS=== and ensure the forwarders are working, then hand out the router as the DNS server in the DHCP pool:

ip dhcp pool ht
 no dns-server 192.231.203.132
 no dns-server 192.231.203.3
 dns-server 10.39.41.254

ip dns primary ht.local soa htgw01.ht.local hostmaster@example.com 21600 900 172800 86400

Add some hosts.

ip host myriad.ht.local 10.39.41.1
ip host htgw01.ht.local 10.39.41.254

Zone Based Firewall
Enable logging of dropped packets.

ip inspect log drop-pkt

ip access-list extended ACL_GRE
 permit gre any any

Class Maps
class-map type inspect match-all CLASS_ICMP
 match protocol icmp
class-map type inspect match-all CLASS_TCP
 match protocol tcp
class-map type inspect match-all CLASS_UDP
 match protocol udp
class-map type inspect match-any CLASS_GRE
 match access-group name ACL_GRE
class-map type inspect match-all CLASS_PPTP
 match protocol pptp

Policy Maps
policy-map type inspect POLICY_INSIDE_TO_OUTSIDE
 class type inspect CLASS_PPTP
  inspect
 class type inspect CLASS_GRE
  pass
 class type inspect CLASS_TCP
  inspect
 class type inspect CLASS_UDP
  inspect
 class type inspect CLASS_ICMP
  inspect
 class class-default
  drop log

policy-map type inspect POLICY_OUTSIDE_TO_INSIDE
 class type inspect CLASS_GRE
  pass
 class class-default
  drop log

Security Zones
zone security INSIDE
zone security OUTSIDE

Zone Pairs
Bind each policy to a zone pair: inside to outside first, then outside to inside.

zone-pair security INSIDE_TO_OUTSIDE source INSIDE destination OUTSIDE
 service-policy type inspect POLICY_INSIDE_TO_OUTSIDE

zone-pair security OUTSIDE_TO_INSIDE source OUTSIDE destination INSIDE
 service-policy type inspect POLICY_OUTSIDE_TO_INSIDE

Apply Zones to Interfaces
interface vlan 1
 zone-member security INSIDE

interface dialer 0
 zone-member security OUTSIDE

Example Custom Entries
An example of allowing a port from OUTSIDE to an INSIDE server.

ip access-list extended ACL_SUBSONIC
 permit tcp any any eq 4043

class-map type inspect match-all CLASS_SUBSONIC
 match access-group name ACL_SUBSONIC

policy-map type inspect POLICY_OUTSIDE_TO_INSIDE
 class type inspect CLASS_SUBSONIC
  inspect

ip nat inside source static tcp 10.39.41.1 4043 interface Dialer0 4043

The Self Zone
By default the self zone is permissive, so it should be secured. Securing it, however, also means making sure that services which need to talk to the router itself, such as routing protocols and VPN protocols, are still allowed through.

ip access-list extended ACL_REMOTE_MANAGEMENT_V4
 permit tcp host 202.129.80.80 any eq 22
 permit tcp host 103.20.49.138 any eq 22

Not sure whether this works to log traffic, as testing was inconclusive.

 deny tcp any any

class-map type inspect match-any CLASS_REMOTE_MANAGEMENT
 match access-group name ACL_REMOTE_MANAGEMENT_V4
 ! match access-group name ACL_REMOTE_MANAGEMENT_V6

policy-map type inspect POLICY_OUTSIDE_TO_SELF
 class type inspect CLASS_REMOTE_MANAGEMENT
  pass
 class type inspect CLASS_ICMP
  inspect
 class class-default
  drop log

zone-pair security OUTSIDE_TO_SELF source OUTSIDE destination self
 service-policy type inspect POLICY_OUTSIDE_TO_SELF
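The zone-based firewall above is assembled from ACLs, class-maps, policy-maps and zone-pairs that reference one another by name, so a typo in one name leaves a class unmatched or a zone-pair without its policy, and, as the self zone section notes, any zone with no zone-pair to self can still reach the router itself. As an added example covering both the Zone Based Firewall and The Self Zone sections, and not code from the page or from Cisco IOS, the following Python audit parses those statements from a saved configuration and reports dangling references, policy-maps whose class-default passes or inspects unmatched traffic, policy-maps attached to no zone-pair, and zones that have no zone-pair to self. The embedded sample is an abridged reassembly of this page's own ZBF statements, indented as IOS displays them.

```python
# Added example (not from the page or from Cisco IOS): audit a zone-based firewall
# configuration for dangling references and fail-open defaults before applying it.
from typing import Any, Dict, List

# Abridged reassembly of the page's own ZBF statements, indented as IOS displays them.
SAMPLE_CONFIG = """\
ip access-list extended ACL_REMOTE_MANAGEMENT_V4
 permit tcp host 202.129.80.80 any eq 22
class-map type inspect match-all CLASS_ICMP
 match protocol icmp
class-map type inspect match-any CLASS_REMOTE_MANAGEMENT
 match access-group name ACL_REMOTE_MANAGEMENT_V4
policy-map type inspect POLICY_INSIDE_TO_OUTSIDE
 class type inspect CLASS_ICMP
  inspect
 class class-default
  drop log
policy-map type inspect POLICY_OUTSIDE_TO_SELF
 class type inspect CLASS_REMOTE_MANAGEMENT
  pass
 class class-default
  drop log
zone security INSIDE
zone security OUTSIDE
zone-pair security INSIDE_TO_OUTSIDE source INSIDE destination OUTSIDE
 service-policy type inspect POLICY_INSIDE_TO_OUTSIDE
zone-pair security OUTSIDE_TO_SELF source OUTSIDE destination self
 service-policy type inspect POLICY_OUTSIDE_TO_SELF
"""


def parse_zbf(config: str) -> Dict[str, Any]:
    """Collect zones, extended ACLs, class-maps, policy-maps and zone-pairs by name."""
    zones, acls = set(), set()
    class_maps: Dict[str, List[str]] = {}        # class-map -> ACL names it matches
    policy_maps: Dict[str, Dict[str, str]] = {}  # policy-map -> {class: action}
    zone_pairs: Dict[str, Dict[str, str]] = {}   # zone-pair -> source/destination/policy
    ctx = cur_class = None                       # current top-level object being parsed
    for raw in config.splitlines():
        t = raw.split()
        if not t or t[0] == "!":
            continue
        if t[:2] == ["zone", "security"] or t[:3] == ["ip", "access-list", "extended"]:
            (zones if t[0] == "zone" else acls).add(t[-1])
            ctx = None
        elif t[:3] == ["class-map", "type", "inspect"]:
            ctx, class_maps[t[-1]] = ("class-map", t[-1]), []
        elif t[:3] == ["policy-map", "type", "inspect"]:
            ctx, policy_maps[t[3]] = ("policy-map", t[3]), {}
        elif t[:2] == ["zone-pair", "security"]:
            ctx = ("zone-pair", t[2])
            zone_pairs[t[2]] = {"source": t[4], "destination": t[6], "policy": None}
        elif ctx and ctx[0] == "class-map" and t[:3] == ["match", "access-group", "name"]:
            class_maps[ctx[1]].append(t[3])
        elif ctx and ctx[0] == "policy-map" and t[0] == "class":
            cur_class = "class-default" if t[1] == "class-default" else t[3]
            policy_maps[ctx[1]][cur_class] = None
        elif ctx and ctx[0] == "policy-map" and t[0] in ("inspect", "pass", "drop"):
            policy_maps[ctx[1]][cur_class] = t[0]
        elif ctx and ctx[0] == "zone-pair" and t[:3] == ["service-policy", "type", "inspect"]:
            zone_pairs[ctx[1]]["policy"] = t[3]
        else:
            ctx = ctx if raw.startswith(" ") else None  # any other top-level line ends the context
    return {"zones": zones, "acls": acls, "class_maps": class_maps,
            "policy_maps": policy_maps, "zone_pairs": zone_pairs}


def audit_zbf(cfg: Dict[str, Any]) -> List[str]:
    """Return findings as text; an empty list means every reference resolves and fails closed."""
    findings: List[str] = []
    attached = set()
    for name, zp in cfg["zone_pairs"].items():
        for role in ("source", "destination"):
            if zp[role] not in cfg["zones"] | {"self"}:
                findings.append(f"zone-pair {name}: {role} zone {zp[role]} is not defined")
        if zp["policy"] not in cfg["policy_maps"]:
            findings.append(f"zone-pair {name}: service-policy {zp['policy']} is missing or undefined")
        attached.add(zp["policy"])
    for pname, classes in cfg["policy_maps"].items():
        if pname not in attached:
            findings.append(f"policy-map {pname}: not attached to any zone-pair")
        for cls in classes:
            if cls != "class-default" and cls not in cfg["class_maps"]:
                findings.append(f"policy-map {pname}: class-map {cls} is not defined")
        if classes.get("class-default") in ("pass", "inspect"):
            findings.append(f"policy-map {pname}: class-default is {classes['class-default']}; unmatched traffic is allowed")
    for cname, refs in cfg["class_maps"].items():
        for acl in refs:
            if acl not in cfg["acls"]:
                findings.append(f"class-map {cname}: access-list {acl} is not defined")
    for zone in sorted(cfg["zones"]):
        if not any(zp["source"] == zone and zp["destination"] == "self" for zp in cfg["zone_pairs"].values()):
            findings.append(f"zone {zone}: no zone-pair to self; traffic from {zone} to the router is permitted by default")
    return findings


def audit_config(config: str) -> List[str]:
    return audit_zbf(parse_zbf(config))


if __name__ == "__main__":
    print("\n".join(audit_config(SAMPLE_CONFIG)) or "no findings")
```

Run against the sample, the only finding is that INSIDE has no zone-pair to self, which matches the page: only OUTSIDE_TO_SELF is configured, so LAN hosts can still reach the router's own services. Deleting the OUTSIDE_TO_SELF pair adds two more findings (OUTSIDE open to self, POLICY_OUTSIDE_TO_SELF attached to nothing), which is the case the audit exists to catch before the change is committed.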